The earliest domain registration dates to 2008; the domains pointed to at least 22 different IP addresses, and the servers ran the Ubuntu Linux distribution. Working with GoDaddy and OpenDNS, Kaspersky redirected the domains to servers under its own control (a sinkhole) and collected the data that the malware uploaded.
Security researchers found that Flame and Duqu share many characteristics; both, for example, go after AutoCAD drawing files on infected machines. To limit the volume of stolen files and avoid uploading irrelevant ones, Flame extracts a 1 KB sample from each PDF, spreadsheet and Word document, compresses the samples and uploads them to the command-and-control server; the attackers then issue commands to retrieve in full only the specific documents that interest them.
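The sample-then-fetch triage described above, modelled as an added example written for this article; it is not code recovered from Flame. Three steps run against constructed in-memory files: the infected host uploads a compressed 1 KB sample of each PDF, spreadsheet or Word document; the operator inflates the samples and names the documents worth having; only those are uploaded in full. Taking the sample from the start of each file, the keyword-based selection, the choice of zlib, and every path and file body are assumptions for illustration.

```python
import hashlib
import os
import random
import zlib
from dataclasses import dataclass

SAMPLE_BYTES = 1024                                      # 1 KB sample, as the article describes
TARGET_EXT = {".pdf", ".xls", ".xlsx", ".doc", ".docx"}  # PDF, spreadsheet and Word documents


@dataclass
class Sample:
    path: str
    size: int
    sha256: str   # hash of the full file, so a later fetch can be matched to its sample
    blob: bytes   # zlib-compressed 1 KB head of the file


def is_document(path: str) -> bool:
    return os.path.splitext(path)[1].lower() in TARGET_EXT


def build_manifest(files: dict[str, bytes]) -> list[Sample]:
    """Stage 1 (infected host): keep only a compressed 1 KB sample per candidate document.
    Sampling from the start of the file is an assumption; the article gives only the size."""
    return [
        Sample(path, len(data), hashlib.sha256(data).hexdigest(),
               zlib.compress(data[:SAMPLE_BYTES]))
        for path, data in files.items() if is_document(path)
    ]


def select_targets(manifest: list[Sample], keywords: tuple[str, ...]) -> list[str]:
    """Stage 2 (operator side): inflate the samples and pick the documents worth fetching.
    Keyword matching stands in for whatever judgement the real operators applied."""
    wanted = []
    for s in manifest:
        head = zlib.decompress(s.blob)
        if any(k.encode() in head for k in keywords):
            wanted.append(s.path)
    return wanted


def fetch_full(files: dict[str, bytes], paths: list[str]) -> dict[str, bytes]:
    """Stage 3 (infected host): upload the full, compressed content of the requested files only."""
    return {p: zlib.compress(files[p]) for p in paths}


def wire_cost(files: dict[str, bytes], keywords: tuple[str, ...]) -> tuple[int, int, int]:
    """Bytes uploaded by sample-then-fetch (stage 1, stage 3) versus dumping every document."""
    manifest = build_manifest(files)
    stage1 = sum(len(s.blob) for s in manifest)
    stage3 = sum(len(b) for b in fetch_full(files, select_targets(manifest, keywords)).values())
    naive = sum(len(zlib.compress(d)) for p, d in files.items() if is_document(p))
    return stage1, stage3, naive


def filler(seed: int, n: int) -> bytes:
    """Deterministic, incompressible padding standing in for real document bodies."""
    return random.Random(seed).randbytes(n)


# Constructed inputs: paths and contents are made up for this example, not real victim data.
SAMPLE_FILES = {
    "C:/Users/eng/Documents/budget_2012.xlsx": b"PK\x03\x04 quarterly budget sheet " + filler(1, 6000),
    "C:/Users/eng/Documents/turbine_spec.pdf": b"%PDF-1.4 turbine specification " + filler(2, 9000),
    "C:/Users/eng/Documents/lunch_menu.docx": b"PK\x03\x04 staff lunch menu " + filler(3, 20000),
    "C:/Users/eng/Pictures/holiday.jpg": b"\xff\xd8\xff" + filler(4, 12000),  # not a target type
}

if __name__ == "__main__":
    keywords = ("turbine", "budget")
    manifest = build_manifest(SAMPLE_FILES)
    wanted = select_targets(manifest, keywords)
    s1, s3, naive = wire_cost(SAMPLE_FILES, keywords)
    print(f"{len(manifest)} samples uploaded ({s1} bytes); operator requested {wanted}")
    print(f"full fetch {s3} bytes; total {s1 + s3} vs {naive} for uploading every document")
```

The manifest carries a hash of each full file so the operator can tell later whether a requested document has changed since it was sampled; the wire-cost figures show why a 1 KB sample per document is cheap even when most documents are eventually ignored.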
Where the two differ is in operational caution. Duqu's operators hid their real identity behind SSH port forwarding, running their control scripts on a remote machine, whereas Flame's control scripts ran directly on the C&C servers and stolen data was uploaded straight to them. In other words, the people behind Flame were less careful than Duqu's operators.
                                              | Duqu                                                         | Flame
Server OS                                     | CentOS Linux                                                 | Ubuntu Linux
Control scripts                               | Running on remote server, shielded through SSH port forwarding | Running on servers
Number of victims per server                  | 2-3                                                          | 50+
Encryption of connections to server           | SSL + proprietary AES-based encryption                       | SSL
Compression of connections                    | No                                                           | Yes, Zlib and modified PPMD
Number of known C&C domains                   | n/a                                                          | 80+
Number of known C&C IPs                       | 5                                                            | 15+
Number of proxies used to hide identity       | 10+                                                          | Unknown
Time zone of C&C operator                     | GMT+2 / GMT+3                                                | Unknown
Infrastructure programming                    | .NET                                                         | Unknown
Locations of servers                          | India, Vietnam, Belgium, UK, Netherlands, Switzerland, Korea, etc. | Germany, Netherlands, UK, Switzerland, Hong Kong, Turkey, etc.
Number of built-in C&C IPs/domains in malware | 1                                                            | 5, can update list
SSL certificate                               | self-signed                                                  | self-signed
Server status                                 | Most likely hacked                                           | Most likely bought
SSH connections                               | no                                                           | yes